PuntaPirata
Useful Tweaks for ModSec
ModSec AutoUpdater ver 1.09  (07/17/2012)      Last Revised: 07/17/2012
Here is an automatic ModSec rules updater. It is easy to use, and you only have to follow a few guidelines to run it.
It is free to use and we don't assume any responsibility for the use of the script; use it at your own risk.

How to use it:

  1. Download the GotRoot rules from www.GotRoot.com and save the file in your /tmp directory.
  2. Save the script in its own folder and make it executable (chmod u+x).
  3. When run, the script asks you only for the file version, then does everything else automatically.
    So, for example, if the rule file is called modsec-201001121214.tar.gz, you enter "201001121214".
    The script then tests Apache to check that everything is fine; if it is, you can restart Apache from there or do it later manually.
  4. The script saves a backup of your current rules before doing the update, so if Apache reports any error you can manually restore everything to its place.
  5. Read any text inside the file for last-minute configuration notes or updates.

How the script works:

  1. The script checks that the rule file has been saved in the /tmp directory.
  2. It unpacks everything into a temporary folder.
  3. It modifies some rules to be 100% compatible with cPanel.
  4. It saves the current rules in a directory, in case a manual restore is needed.
  5. It replaces all the modsec_rules files with the new ones.
  6. It checks that Apache runs with the new rules.
  7. AutoUpdater now reverts the changes it made if Apache fails (see Comment 5).
  8. It deletes all the temporary files it used.
  9. The script ends.


The use of this script is at your own risk and we don't assume any responsibility for it.

ENJOY IT!

the rule updater ver 1.09


REQUIREMENTS:

In order for the ModSec rules from GotRoot or ASL to work, you NEED to have the files MODSEC2.CONF and MODSEC2.USER.CONF configured as follows:


MODSEC2.CONF:

This is the default configuration file used by cPanel. Don't write anything in here:
EasyApache overwrites it with the default configuration every time it is run.


LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so

SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"



MODSEC2.USER.CONF:

This is the file where you write the ModSec directives and rules you want to use.

If you are using the GotRoot or ASL rules, this is how you need to set it up:


SecComponentSignature 201205101758
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# USE THE FOLLOWING TWO COMMANDS ONLY IF YOU HAVE MOD_SEC 2.6.X or better
# SecPcreMatchLimit 50000
# SecPcreMatchLimitRecursion 5000

# ConfigServer ModSecurity whitelist file: remove the comment mark if you are using ConfigServer CMC.
# Include /usr/local/apache/conf/modsec2.whitelist.conf

#ASL Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf

Posted on February 14th, 2010
Happy Valentine's Day!

Comment 1 (03/20/2010) revisited (07/17/2012):

Inside the file UPDATER.SH you will see some command lines that delete the rules that are only for ASL or ASL Lite; these lines are:

##########
# IF YOU DON'T HAVE ASL LITE OR ASL HARDENING ON YOUR SERVER, THEN
# THE FOLLOWING RULES ARE NOT NEEDED:
##########
rm -f 00_asl_rbl.conf
rm -f 05_asl_scanner.conf
rm -f 11_asl_data_loss.conf
rm -f 15_asl_paranoid_rules.conf
rm -f 40_asl_apache2-rules.conf
rm -f 70_asl_csrf_experimental.conf
rm -f 98_asl_jitp.conf
rm -f 99_asl_a_redactor.conf
rm -f 99_asl_redactor.conf
rm -f 99_asl_redactor_post.conf
rm -f 99_asl_scanner.conf
##########

Comment 2 (04/09/2010):

A new version, 1.03, was uploaded; it fixes the instructions for the ADDON.


Comment 3 (05/09/2010):

If you have already updated ModSecurity in cPanel to version 2.5.12 or newer, you need two new directives in the MODSEC2.USER.CONF file:

 SecPcreMatchLimit 150000
 SecPcreMatchLimitRecursion 150000

Remember to modify your MODSEC2.USER.CONF in order for the GotRoot rules to work. You will also need to modify your PHP.INI to include the following two settings:

pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000

Comment 4 (07/21/2010):

The delayed GotRoot rules are not saved in the /modsec directory as the paid ones are, so our script was not saving the rules in the correct folder. We have uploaded ver. 1.04, which checks for this before putting the new rules into action.

Comment 5 (08/12/2011):

The new AutoUpdater ver. 1.07 can now automatically revert any changes it made if Apache does not work with a new set of rules.

Comment 6 (05/10/2012):

AutoUpdater ver. 1.07 has been stable and there have been no changes to the script.

HAPPY MOTHER'S DAY!

Comment 7 (07/02/2012):

AutoUpdater ver. 1.08 has a new command to delete a new set of rules that are only for ASL.


Last Revised: May, 10th, 2012
 
All Rights Reserved 2012
PuntaPirata.com
Guatemala, the country of the Eternal Spring